DETAILED ACTION

1. No new claims have been added. Claims 1-16 and claims 18-28 have been cancelled. 
Claim 17 has been amended. Claim 17 is pending in this office action. 

Claim Rejections - 35 USC §103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

2. Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. Patent 
Application Publication Number 2004/0254934 issued to Mang-Rong Ho et al. (hereinafter 
"Ho") in view of U.S. Patent Application Publication Number 2005/0091658 issued to Jude 
Jacob Kavalam et al. (hereinafter "Kavalam") in view of U.S. Patent Number 5,260,551 issued to 
Tore Wiik et al. (hereinafter "Wiik") and further in view of U.S. Patent Application Publication 
Number 2004/0203589 issued to Jiwei R. Wang et al. (hereinafter "Wang"). 

Claim 17: 

The combination of Ho, Kavalam, Wiik, and Wang discloses an access control system in 
which a plurality of storage devices for storing information resources and access controllers for 
controlling accesses to the information resources stored in the storage devices are connected with 
a network, each of the access controllers having an access control list on which access right to 
each information resources stored in the storage devices is recorded, and each of the access 
controllers having an access prohibition list on which access prohibited users are recorded who 
are prohibited from accessing any information resource stored in the storage devices, 
and Ho discloses each access controller comprising:

an access restriction module (Ho: paragraph [0004], lines 1-9 and paragraph [0009], lines 7-9 and
paragraph [0010], lines 7-9; The content management system is the access restriction module.) configured to 
restrict access to each information resource stored in a storage device and listed on the access 
control list of the access controller that records access right to each information resource (Ho: 
paragraph [0003], lines 2-9 and paragraphs [0028]-[0031] and paragraph [0078], lines 6-10; Note specifically in the
first reference cited "storage of an access control list (ACL) for each data entity to which access is to be controlled. " 
Paragraph [0001], lines 9-11 defines a data entity.). 

Ho does not explicitly disclose:

an access interception module configured to restrict the access by reference to the access 
prohibition list of the access controller, which records user information of access prohibited 
users, prior to the access control list; 

at least one of the access controllers having the updated access prohibition list further 
comprising a distribution module configured to send out the user information or updated access 
prohibition list to the other access controllers in response to the update; and 

the other access controllers further comprising a list update module configured to receive 
the user information or the updated access prohibition list and to update the access prohibition 
list thereof to include the received user information or updated access prohibition list, 

wherein the distribution module of each access controller sends out the user information 
or the updated prohibition list to a predetermined other one of the access controllers, thereby
transmitting the user information or the updated prohibition list from one access controller to 
another. 

Kavalam also discloses an access control module to control access to network resources
with the use of access control lists (Kavalam: Fig. 1, 116 and paragraph [0062], lines 5-8). Examiner 
notes that Kavalam does not explicitly disclose the use of an access prohibition list (or black-list) 
to intercept or restrict user access, but Kavalam does explicitly suggest protecting system 
resources by strategies such as "lock down", isolation, and sandboxing of users or systems when 
either accidental or malicious actions occur that could harm system resources (Kavalam: paragraph 
[23], lines 23-28). In order to "lock down", isolate, or sandbox a particular user or system, a system 
administrator would have to have some means to detect that an accidental or malicious act which 
either has already occurred, is currently occurring, or may occur in the future. 

In order to satisfy the suggestion of combining additional methods of protecting system 
resources with the use of an access control module using access control lists, examiner asserts 
that it would have been obvious to one of ordinary skill in the art at the time the invention was 
made to modify the teachings of Ho, as suggested by Kavalam with the teachings of Wiik noted 
below (Note that Kavalam is not being used as prior art for any particular claim limitation. Kavalam is cited for 
the sole purpose of providing a suggestion to combine Ho and Wiik.). 

Wiik explicitly discloses: 

an access interception module configured to restrict the access by reference to the access 
prohibition list of the access controller, which records user information of access prohibited users 
(Wiik: column 5, lines 7-9; The black-list is the access prohibited user list. The black-list is stored in the RAM of a
locking mechanism (access interception module), which intercepts the access of a user listed on the black-list. Note
that a user obtaining the key could have access and be on the way to unlock the locking mechanism (or access
interception module). Then after the key is issued, the administrator could choose to add the user's name to the
black-list. This immediately cancels the user's action rights and effectively 'intercepts' the access of the user.);

Application/Control Number: 10/786,072
Art Unit: 2163

at least one of the access controllers having the updated access prohibition list further 
comprising a distribution module configured to send out the user information or updated access 
prohibition list to the other access controllers in response to the update (Wiik: column 5, lines 7-11 and
column 5, lines 56-63 and column 4, lines 32-38; The "lock communicator" (or admin access controller) oversees 
each individual locking mechanism (or access interception module or access controller). Since the lock 
communicator controls the access controller (locking mechanism), the lock communicator itself is also an access 
controller. From the cited references it can be seen that the lock communicator (access controller) downloads
(updates) new user information (user ID) to the black-list. The transfer of this information from the lock
communicator to the locking mechanism must be done through a distribution module. Note specifically that the
claim language recites 'AT LEAST ONE...' The Examiner has interpreted the claim such that only one access
controller comprises a distribution module.); and 

the other access controllers further comprising a list update module configured to receive 
the user information or the updated access prohibition list and to update the access prohibition 
list thereof to include the received user information or updated access prohibition list (Wiik: 
column 5, lines 9-11; The black-list is updated by the lock communicator (or admin access controller) according to 
user ID's. Note that the update to the black list is received at the access controller (locking mechanism). There must 
be some form of receiving module to receive the update. Further note that the update to the black-list can be an 
addition ("lock communicator is used to fill the list with black listed ID's") or deletions ("lock communicator also 
has an un-black-list function").). 

wherein the distribution module of each access controller sends out the user information 
or the updated prohibition list to a predetermined other one of the access controllers, thereby 
transmitting the user information or the updated prohibition list from one access controller to
another (Wiik: column 4, lines 35-38 and column 5, lines 7-11; Note the lock communicator (admin access 
controller) sends out newly added user ID's to the black-list (prohibited list) which is stored in the RAM of 
individual access controllers (locking mechanisms). This updates the black-list. Further note that lock 
communicator (admin access controller) is used to configure all locking mechanisms (access controllers) (Wiik:
column 5, lines 56-59). Since it is assumed that only one access controller has a distribution module (see 
Examiner's comments above), this limitation is not given patentable weight because it refers to something that 
essentially can't occur. Since only one access controller has a distribution module, additional access controllers 
cannot keep transferring the prohibition lists. Due to this interpretation, the cited combination of references still 
discloses all limitations of the Applicant's claimed invention.). 

It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to include a black-list, or prohibited user list, as part of an access controller (Wiik: 
column 5, lines 7-11). The skilled artisan would have been motivated to improve the invention of 
Ho per the above such that upon making a decision to cancel a given individual's access rights, 
the individual could be added to a black-list resulting in the immediate loss of access to a given 
resource (Wiik: column 5, lines 7-11 and column 8, lines 11-14). 

The combination of Ho, Kavalam, and Wiik does not explicitly disclose restricting access 
by first referencing a prohibited list prior to the access control list. 

However, Wang discloses restricting access by first referencing a prohibited list prior to 
the access control list (Wang: paragraph [0033], lines 1-3; The black-list is the prohibited list and the white-list
is the access allowed list.). 

It would have been obvious to one of ordinary skill in the art at the time the invention
was made to further modify the previously mentioned combination with the teachings of Wang 
noted above for the purpose of modifying the order in which the lists are accessed. The skilled 
artisan would have been motivated to further improve the previously mentioned combination per 
the above such that the system is capable of checking a black list of access rights prior to 
checking an access rights allowed list (Wang: paragraph [0033], lines 1-3). Checking the smaller
black list first can result in saving processing time because the system may not have to search the 
larger white list. 
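
As an added illustration (not part of the office action, the application, or any cited reference), the following Python example models the two behaviours at issue in claim 17: the access prohibition list is consulted before the access control list, and an update entered at one controller is handed to a predetermined next controller until every controller holds it. The class, method, user and resource names are assumptions chosen for the example.

```python
class AccessController:
    """One access controller: an ACL plus an access prohibition list."""

    def __init__(self, name, acl):
        self.name = name
        self.acl = acl              # resource -> set of users holding an access right
        self.prohibited = set()     # access prohibition list (user IDs)
        self.next_hop = None        # the predetermined other controller

    def check(self, user, resource):
        # Interception step: the prohibition list is consulted before the ACL.
        if user in self.prohibited:
            return "denied: prohibited"
        if user in self.acl.get(resource, set()):
            return "granted"
        return "denied: no access right"

    def prohibit(self, user):
        """Local update entered at this controller, then distribution."""
        self.prohibited.add(user)
        self._distribute(user)

    def receive(self, user):
        """List update step: merge the received entry, then pass it on."""
        if user in self.prohibited:
            return                  # already recorded: the update has gone round
        self.prohibited.add(user)
        self._distribute(user)

    def _distribute(self, user):
        # Distribution step: send only to the one predetermined neighbour.
        if self.next_hop is not None:
            self.next_hop.receive(user)


def build_ring():
    # Constructed sample data: three controllers, each guarding one resource.
    a = AccessController("A", {"payroll.db": {"alice", "mallory"}})
    b = AccessController("B", {"designs/": {"mallory", "bob"}})
    c = AccessController("C", {"mail/": {"mallory"}})
    a.next_hop, b.next_hop, c.next_hop = b, c, a   # A -> B -> C -> A
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_ring()
    print(c.check("mallory", "mail/"))   # the ACL at C still grants access
    b.prohibit("mallory")                # update entered at B only
    print(c.check("mallory", "mail/"))   # intercepted before the ACL is read
```

The duplicate check in `receive` is what stops the hand-off once the entry has travelled the full chain; without it a ring of controllers would forward the same update indefinitely.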

Response to Arguments 

Applicant Argues: 

In sum, the Applicants argued that the person of ordinary skill would not find motivation or 
advantage in combining Kavalam and Ho or in combining Wiik with Kavalam, and that no one of these 
references suggests to look at the BL first, and then to the ACL, as required by the present claim. In other 
words, while the invention provides the advantage of faster and shorten security clearance (or prohibition), 
none of the applied references provides the advantage, and in fact, any combination of references would 
simply provide redundancies in access and/or prohibition. 

Examiner Responds: 

Examiner is not persuaded. The only thing remotely redundant about the
references is that all the references deal with the topic of access control. The Ho
reference specifically deals with access control lists which control who can access 
things. The Wiik reference deals with black lists which control who cannot access 
things. And the Kavalam reference simply provides the suggestion that a computer 
system should have a means for 'locking down' a work station when malicious 
activity is detected. Therefore, one of ordinary skill in the art would look to modify
the Ho reference with the teachings of Wiik in light of the suggestion of Kavalam. 

The Wang reference is added to the previously mentioned combination solely to 
disclose the feature of checking a black-list (prohibited list) before checking a white-list
(access allowed list). The Examiner believes that this feature would have been obvious 
to one of ordinary skill in the art at the time the invention was made. The rejection 
given under 35 U.S.C. 103(a) is upheld.

Applicant Argues:

In addition, claim 17 requires that the distribution module of each access controller send out the 
user information or the updated prohibition list to a predetermined other one of the access controllers,
thereby transmitting the user information or the updated prohibition list from one access controller to
another. During the telephone interview, the Applicants argued that this chaining of transmitting user
information or an updated prohibition list from one access controller to another is not taught by Wiik, which
at most suggests a broadcast update of a BL. The Examiner indicated that he would reconsider this
rejection in light of the arguments upon the filing of a Reply. 

Examiner Responds: 

Examiner is not persuaded. The Examiner did look at the claims in light of the 
arguments raised by the Applicant in the telephone interview. However, the Examiner still 
believes the cited combination of references discloses all the elements of the Applicant's 
invention as claimed. 

As noted above, claim 17 recites "at least one of the access controllers ... further
comprising a distribution module..." The Examiner decided to give this limitation its broadest 
reasonable interpretation and assume that only one access controller has a distribution module. 
If this is the case, the last limitation of the claim, which recites "wherein the distribution module 
of each access controller..." is not valid because it has already been assumed that only one
access controller has a distribution module and that access controller is the main access 
controller (lock communicator). The remaining access controllers are not capable of 
transmitting the prohibition list because they do not have a distribution module, since only one 
access controller has a distribution module. These remaining access controllers can only receive 
the prohibition list. 

The preceding office action shows that all the limitations of the claimed invention are 
clearly disclosed by the cited combination of references when the claims are interpreted in the 
manner described immediately above. Therefore, the rejection given under 35 U.S.C. 103(a) is 
upheld. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Patrick A. Darno whose telephone number is (571) 272-0788. 
The examiner can normally be reached on Monday - Friday, 9:00 am - 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Don Wong can be reached on (571) 272-1834. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Patrick A. Darno 
Examiner 
Art Unit 2163